Method and apparatus for controlling the distribution of digitally encoded data in a network

ABSTRACT

An apparatus and a method for controlling distribution of digital content from a device attached to a network to another device outside the network. The device receives a digital signal containing content, the digital signal having an authorization field indicative of a first transport mode authorizing the content for distribution outside the network, and of a second transport mode wherein the content is not authorized for transmission outside the network. The method comprises the steps of receiving location information of a router on the network for routing content to devices outside the network, receiving destination data indicative of location information associated with a destination device to which the device intends to distribute the content, determining whether the destination device is outside the network based on the router location information and the received destination data, examining the authorization field, and inhibiting transmission of the content if the destination device is outside the network and the digital signal is in the inhibit mode.

RELATED APPLICATIONS

The present application claims priority under 35 U.S.C. § 119 of Provisional Patent Application Ser. No. 60/387,054 entitled “Proposal on the Use of the BPDG Broadcast Flag” filed on Jun. 7, 2002.

FIELD OF THE INVENTION

The present invention relates to communication systems generally and, more particularly, to a system and method for protecting unauthorized distribution of content to a remote network location.

BACKGROUND OF THE INVENTION

Content creators and providers, such as movie studios, production companies and service providers (ISPs), have a need for protecting their investment, for example, movies, programming, services, software, and the like. Such content has typically found its way to the consumer through terrestrial broadcasts, premium programming, cable or satellite channels, pay-per-view events, and retail sales and rentals of videocassettes.

In terrestrial broadcasts, program content is transmitted in digital format to an access device such as a digital receiver. The nature of digital storage and transmission allows endless generations of copies to be produced with the same quality as the original master. Furthermore, unless the signal is encrypted, the received content may be easily copied and/or forwarded to additional products or devices not intended or authorized to receive such content. Moreover, products with digital outputs allow for the convenience of networked systems and higher quality recording and re-transmission of data. A home network, which receives content for display and storage, must now also protect content against illegal copying or distribution.

It has been proposed that a broadcast flag (BF) be carried in a digital signal such as a video broadcast stream, for the purpose of identifying that the digitally encoded data (such as video content) shall not be transmitted outside of the receiving device's own network. As used herein, the term content includes the digital signal, or the digitally encoded data, that is used to carry the program content. The flag may be carried in the PMT/EIT field of an MPEG-2 transport stream, for example, as a field comprising one or more bits. Currently, however, no mechanism exists for implementing how a network such as a home network should honor the flag so that content is not transmitted outside of the network.

One possible solution is to add additional flags into other portions of the digital signal, such as an Ethernet header, to signify to a router, cable modem and the like, that the content should not be forwarded to the outside world. Another proposal would require the use of only protected (encrypted data) interfaces such as IEEE 1394 with SC or DVI with HDCP. However, such implementations have the disadvantage of requiring costly changes to the infrastructure of existing (as well as future) home networks. Such infrastructure changes would significantly impede the trend of customers using their home network to distribute content to other electronic devices within their own home, thereby stifling a very promising market for home user electronic devices and content distribution within a home network.

SUMMARY OF THE INVENTION

The present invention provides a method for controlling distribution of digitally encoded content from an access device attached to a network to another device outside the network, the access device receiving a digital signal representative of program content, the digital signal having an authorization field indicative of a first transport mode authorizing the distribution of the content outside the network, and of a second transport mode inhibiting the distribution of the content outside the network. The method comprises the steps of receiving location information of a router on the network that is used for routing content to devices outside the network; receiving destination data indicative of location information associated with a destination device to which the access device intends to distribute the content; determining whether the destination device is outside the network based on the router location information and the received destination data; examining the authorization field; and controlling the distribution of the content in response to the determination of whether the device is outside the network and whether the transport mode authorizes or inhibits the distribution of the content outside the network.

In another aspect, the present invention also provides a device coupled to a network for distributing content to at least another device, the access device receiving a digital signal representative of program content, the digital signal including an authorization field indicative of a first transport mode wherein distribution of the digital signal is authorized outside the network, and a second transport mode inhibiting distribution of the digital signal outside the network. The device comprises memory having stored therein computer code for executing a send operation for transmitting data on the network; a processor for controlling data receiving and transmitting operations of the device, the processor including data storage means for storing address information of devices connected to the network; and data interface means, coupled to the network, for receiving data from devices attached to the network, and for distributing the digital signals on the network, wherein the processor inhibits transmission of the digital signal on the network in response to a determination that the device is outside the network and that the authorization field is indicative of the second transport mode, otherwise, the processor enables transmission of the digital signal on the network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a home network system embodying an aspect of the present invention.

FIG. 2 is an exemplary block diagram illustrating major functional components associated with the propagation and reception of packets representative of video frame transport stream information.

FIG. 3 is a block diagram of a transport stream.

FIG. 4A is an exemplary illustration of PAT and PMT linkage containing a broadcast flag authorization field within a transport stream.

FIG. 4B is an exemplary illustration of an EIT containing a broadcast flag authorization field within a transport stream.

FIG. 5 is a flow chart illustrating an exemplary method of operation according to an embodiment of the present invention.

DETAILED DESCRIPTION

Referring now to FIG. 1, there is shown a home network system 10 comprising a plurality of access devices 20, 30, 40, 50, 60 coupled via a home network such as Ethernet network 70 through switch 80 to router/gateway device 90. Home router 90 bridges multiple external service providers (e.g. internet 100) and remote devices (e.g. electronic device 110 or optional modem 95) outside the home network to enable communications with home network 70. For example, router 90 is capable of receiving and forwarding media feeds from terrestrial broadcast sources, satellite broadcasts, cable and the like, via a corresponding interface (e.g. terrestrial broadcast I/F, satellite I/F, asynchronous digital subscriber line I/F, etc.). It is understood that the router 90 is capable of IP routing and transport stream routing of data packets via an appropriate protocol, such as MPEG-2 for example, to various consumer electronic devices both inside and outside the home network.

In the exemplary embodiment depicted in FIG. 1, router 90 is a conventional router device having a mapping table for mapping device IP addresses to physical addresses for routing data into and/or outside of the home network. The access devices 20-60 located within the home network may be any one of a number of consumer electronic devices, including but not limited to servers, digital televisions and monitors, MP3 and DVD devices, printers and print servers, personal computers (PCs) and the like. In the exemplary configuration of FIG. 1, device 20 is a television device such as an HDTV coupled via bus 25 to media renderer device 30 (e.g. Replay 4000). The exemplary home network system 10 shown in FIG. 1 further includes media server 40, MP3 network player 50 and personal computer (PC) 60. Each of these devices has an associated IP address, physical address and subnet mask, as is understood in the art.

Router 90 is operable to receive a digital signal such as an MPEG-2 open terrestrial broadcast signal and forward the signal to the appropriate receiving device on the home network. Note that other such terrestrial broadcast signals may also be received and processed for transfer to the home network 10, such as MPEG-1, MPEG-4, JPEG, and the like.

The receiving/access devices within the home network are configured with appropriate hardware and/or software functionality to receive and decode packetized data such as MPEG-2 transport streams containing audio/video/data content. Compression algorithms at the source of the broadcast operate to reduce the required bandwidth for the transmission medium and yet maintain reasonable video quality at the receiver.

FIG. 2 is an exemplary illustration of an arrangement whereby video frame content is transmitted via packets through Ethernet packet network 70 illustrated in FIG. 1. Each video frame produced by a standard source (not shown), as exemplified by frame 210 serving as the input to a transmitter 201, is compressed by encoder 220 with reference to an encoding program stored in program memory 225, and the encoded output 221 is formatted into packets 231 by data packetizer 230. Transmitter processor 235 controls the interactions of encoder 220 with program memory 225, and also provides the necessary control information so as to form packets 231. Packets 231 are transmitted via packet network 70 and detected by an access device (e.g. 30) where the packets are processed by data extractor 250 of the access device to produce the received counterpart 251 of compressed output 221 in transmitter 201. The resulting data stream 251 is decompressed and decoded by decoder 260 to produce received frame 211 corresponding to the content provided in frame 210.

In the exemplary embodiment depicted herein, data packetizer 230 generally includes elements corresponding to the MPEG-2 standard, for generating: (a) an elementary stream (ES) of encoded video; (b) a packetized elementary stream (PES) from the elementary stream; and (c) a transport stream from one or more PESs to derive the MPEG-2 packets 231 ready for transport over network 70. The encoded video is processed by adding information that is used to reconstruct the frames at the receiving end. Such information includes, for example, timing information (e.g., the Presentation Time Stamp (PTS) and the Decode Time Stamp (DTS)), clock reference information (e.g. PCR) and PMT/EIT data. Thus, in a generic sense, data packetizer 230 transforms the encoded video to the transport stream which contains all necessary information to re-transform the transport stream to derive the content.

In the home network system illustrated in FIG. 1, one or more of the access devices (20, 30, 40, 50, 60) is operable for both receiving content transmitted via an MPEG-2 transport stream and also operable for transmitting or re-distributing the content to another device which resides either within home network 70 or external to the network. Such transmission is accomplished using a “protocol stack” comprising an “applications/service” level layer application for producing the encoded MPEG-2 audio/video/data stream packet; “transport” level layer applications for encapsulating each packet in the MPEG-2 stream by appending headers (e.g. RTP, UDP headers); and “Network” level layer applications for further encapsulating the prior layer by appending the IP header information, including for example, routing or re-routing information. “Data Link” level layer applications accomplish error control and access control and further encapsulate the resulting packets by appending an Ethernet header for instance. “Physical” level layer applications engender the actual transmission at the bit-level.

In one configuration, the access device 30, in addition to the receiving function shown therein, would also include each of the functional elements illustrated in the transmitter portion 201 of FIG. 2 for transmitting and/or re-distributing content received in the transport stream to another device.

In accordance with an aspect of the present invention, when an access device within a home network receives a terrestrial broadcast signal as described above, the device may be functionally capable of distributing the content contained in the broadcast signal to another device, either within the network or outside the network via a home router. Nevertheless, it may be desired to place certain restraints on the re-distribution of such content to other devices outside of the home network, based on the nature of the content, for example.

According to an aspect of the present invention, functionality provided within the access device itself at the software application level operates to determine whether the content is to be distributed outside the network (based on a flag contained in a portion of the transport stream packets), without requiring modification to the infrastructure of the home network environment.

In present home network configurations a home router may be configured to perform Network Address Translation (NAT) as described in RFC 3022, for example. The router receives a packet and examines the packet's destination IP address. Based on the subnet mask and its own local IP address, the router determines whether the packet is intended for the home network or whether it is intended for a destination device outside of the home network. If the packet is intended for a destination outside of the home network, the router forwards the packet to an external address after substituting its own public IP address into the packet's source IP address field. When the destination device responds, it responds back to the public IP address of the router. The router receives the response and maps it to the request, thereby determining which device inside the home network made the original request. The router places the destination device's local IP address into the destination field and forwards it on to the originating device.

In accordance with the configuration shown in FIG. 1, each device on an Ethernet network has a physical address and an IP address. As shown in FIG. 3, in an exemplary embodiment, terrestrial broadcast signal 300 comprising an MPEG-2 transport stream intended for access device 30 (FIG. 1) within home network 70 includes a header/payload pair, namely, header 301 and its accompanying payload 302, header 303 and its accompanying payload 304, and so forth. Header 301 is generally four bytes long, and payload 302 is 184 bytes. Transport stream 300 is emitted by data packetizer 230 of FIG. 2. Each header contains various header information including PID (Packet Identifier) field data. In addition, the payload is composed of components of the compressed video (or in other applications, audio, data, and teletext/closed captioning), as well as referencing information. Payload 302 includes Program Association Table (PAT) information, which associates a PID with a given program or collection of streams within a common timebase, and Program Map Table (PMT) information, which provides more detailed referencing information to further define the mapping between the encoded video stream and the actual packets prepared for transmission, and is used at the receiving end to properly decode the Transport Stream. FIG. 4A illustrates an exemplary configuration linking a given PID 110 to the corresponding PAT 320 and PMT 420.

PMT 420 lists, as identified by row, the Stream Identifier, the Type of signal (e.g., video, audio, data), a PID assigned to that type by the source, and an authorization field 430 such as a broadcast flag (BF) or redistribution control descriptor carried in the video broadcast stream for the purpose of signifying information to downstream applications relating to authorization for the redistribution of content in the stream. In one embodiment, the broadcast flag (BF) is a single bit within the PMT field of the MPEG-2 transport stream, as shown in FIG. 4A. However, additional numbers of bits may be used, for example, to communicate additional information for processing by the access device.

According to a predefined convention, a BF bit value “0” indicates that the content within the transport stream packet is authorized for re-distribution to devices outside the home network (i.e. “transport mode”). Conversely, a BF bit value “1” indicates that the content within the transport stream packet is not authorized for re-distribution outside the home network (i.e. “inhibit mode”).

Alternatively, another field within the broadcast stream, such as the Event Information Table (EIT) 450 shown in FIG. 4B, may include the broadcast flag (BF) for determining authorization. FIG. 4B illustrates an exemplary EIT showing a broadcast start time and a broadcast duration of the object program (PID), along with the BF flag indicating authorization for re-distribution. The EIT may be multiplexed in the transport stream for reception and decoding by the access device. One exemplary implementation may include the BF flag in both the EIT and PMT for terrestrial broadcasts, while, for example, for cable transport, the BF flag shall be present in the PMT, and, when the EIT is carried, in the EIT, according to a given protocol (e.g. ATSC standard). The BF may appear periodically within the transport stream.

According to an aspect of the present invention, when an access device receives the broadcast signal and decodes the transport stream, the device parses the PMT/EIT field and determines the status of the BF flag 430 indicative of whether the content is authorized for re-distribution outside the home network. A software application module or hardware circuitry may be configured to examine the received payload data to recover the BF flag based on its corresponding table entry and location within the transport stream.

In conjunction with the home network system of FIG. 1, there is shown in FIG. 5 a method for carrying out the present invention of inhibiting unauthorized re-distribution of content according to an exemplary embodiment. When access device 30 (FIG. 1) is connected to home Ethernet network 70 and operable to both receive incoming audio/video/data broadcast streams (step 500) and to retransmit or redistribute the content contained therein, the access device, prior to redistributing the received content, performs the following acts.

The access device obtains location information associated with gateway/router 90 by performing an ARP (address resolution protocol) on the router IP address to obtain the physical address of the router (step 505). The physical address is then stored in memory (step 510). The content intended to be transmitted to a destination device in the form of a packet is then formatted (steps 515, 520) in accordance with predefined format and convention. The access device broadcasts a request for location information for the destination device (step 525) to which the content from the access device is intended to be transmitted. This may be accomplished by broadcasting an ARP for the destination IP address to obtain the physical address of the destination device. If the destination device is on the home network, the destination device will respond to the access device's request by providing its physical address to the access device.

When router 90 receives the broadcast ARP message, the router determines if the destination IP address is in the local subnet by comparing the portion of the address masked by the subnet mask with the portion of its own address masked by the same subnet mask (step 530). If the router determines that the destination device is outside the local network, the router returns its own physical address for the requested remote destination IP address (step 535).

The access device 30 receives the response to its request for location information for the destination device (step 540) and compares the physical address returned in response to the ARP (step 525) with the physical address of the router 90 that was previously stored in memory (step 505). If the physical address returned is the same as the gateway address stored in memory (step 545) then the packet to be transmitted is destined for a device outside of the local home network. In this case, the access device then parses the PMT payload field to recover the broadcast flag and determine whether the flag is set (step 550). If the flag is set (indicative of content not authorized for external network distribution) the access device discards the packet (step 555) and awaits the next data packet to format and process (step 515).

In the case where the broadcast flag in the transport stream packet is not set (step 550), the access device finishes formatting the packet and transmits the packet to the router 90 for routing the content to the destination device outside the home network (step 560). The access device also completes packet formation and transmission to the destination device directly upon determination that a physical address returned in response to the ARP broadcast is different than the physical address associated with router 90 (steps 540, 545), indicating that the destination device is within the home network and thus authorized for redistribution within a local environment.
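
The decision procedure of FIG. 5 (steps 505 to 560), together with the router's subnet comparison of step 530, can be traced with the following added example, which is not code from the patent. The class and field names, the addresses, and the modeling of the broadcast flag as an already-parsed integer are assumptions made for illustration; the UNRESOLVED outcome for a destination that never answers the ARP is likewise an assumption, since the description does not cover that case.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    SEND_DIRECT = "transmit directly to local destination"
    SEND_VIA_ROUTER = "transmit to router (step 560)"
    DISCARD = "discard packet (step 555)"
    UNRESOLVED = "no ARP reply, nothing sent (assumption, not in the patent)"


@dataclass(frozen=True)
class Router:
    ip: str
    mac: str
    netmask: str

    def is_local(self, dest_ip: str) -> bool:
        # Step 530: compare the masked destination with the router's own masked address.
        mask = int(ipaddress.IPv4Address(self.netmask))
        dest = int(ipaddress.IPv4Address(dest_ip))
        own = int(ipaddress.IPv4Address(self.ip))
        return (dest & mask) == (own & mask)


class LanSegment:
    """Constructed stand-in for the Ethernet broadcast domain of FIG. 1."""

    def __init__(self, router: Router, hosts: dict):
        self.router = router
        self.hosts = dict(hosts)  # IP address -> physical (MAC) address

    def arp(self, ip: str):
        if ip == self.router.ip:
            return self.router.mac
        if ip in self.hosts:
            return self.hosts[ip]  # a local device answers for itself
        if not self.router.is_local(ip):
            return self.router.mac  # step 535: router answers for remote addresses
        return None  # address is in the local subnet but no device owns it


@dataclass(frozen=True)
class TsPacket:
    pid: int
    broadcast_flag: int  # assumed already recovered from the PMT/EIT; 1 = inhibit mode
    payload: bytes = b""


class AccessDevice:
    def __init__(self, lan: LanSegment, router_ip: str):
        self.lan = lan
        mac = lan.arp(router_ip)  # step 505: ARP for the router's IP address
        if mac is None:
            raise RuntimeError("router did not answer ARP")
        self.router_mac = mac.lower()  # step 510: store it in memory

    def redistribute(self, packet: TsPacket, dest_ip: str) -> Decision:
        dest_mac = self.lan.arp(dest_ip)  # steps 525 and 540
        if dest_mac is None:
            return Decision.UNRESOLVED
        outside = dest_mac.lower() == self.router_mac  # step 545
        if not outside:
            return Decision.SEND_DIRECT
        if packet.broadcast_flag == 1:  # step 550
            return Decision.DISCARD  # step 555
        return Decision.SEND_VIA_ROUTER  # step 560


def demo() -> dict:
    # Constructed sample network: documentation-range MAC and IP addresses.
    router = Router(ip="192.168.1.1", mac="00:00:5E:00:53:01", netmask="255.255.255.0")
    lan = LanSegment(router, {"192.168.1.40": "00:00:5e:00:53:40"})
    device = AccessDevice(lan, router.ip)
    flagged = TsPacket(pid=0x30, broadcast_flag=1)
    clear = TsPacket(pid=0x30, broadcast_flag=0)
    return {
        "flagged_to_local": device.redistribute(flagged, "192.168.1.40"),
        "flagged_to_remote": device.redistribute(flagged, "203.0.113.10"),
        "clear_to_remote": device.redistribute(clear, "203.0.113.10"),
        # The router's own LAN address resolves to the router's MAC, so the
        # comparison of step 545 classifies it as outside the network.
        "flagged_to_router_ip": device.redistribute(flagged, "192.168.1.1"),
        "flagged_to_absent_local": device.redistribute(flagged, "192.168.1.99"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision.value}")
```

The inside/outside determination rests entirely on the physical address returned for the destination, so it is only as reliable as the ARP replies seen on the local segment and depends on the router answering ARP requests for off-subnet addresses as step 535 describes.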

The present invention is embodied in machine executable software instructions within the access device, and the present invention is carried out in a processing system by a processor executing the instructions. In other embodiments, hardwired circuitry may be used in place of or in combination with software instructions to implement the present invention. The computer instructions embodying the present invention may be loaded into memory from a persistent store such as a mass storage device and/or from one or more other computer systems over a network. For example, execution in some embodiments that downloaded instructions may be directly supported by the microprocessor and directly executed by the processor. Alternatively, the instructions may be executed by causing the microprocessor to execute an interpreter that interprets the instructions by causing the microprocessor to execute instructions, which convert the instructions into a format that can be directly executed by the microprocessor. Thus, the present invention is not limited to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by the access device.

As described in the above exemplary embodiments, the present invention exploits the difference between an IP address on the local network and an IP address outside the local network wherein the distinction between the address spaces may be determined by subnet masks and gateway addresses. The present invention implements a mechanism for inhibiting the unauthorized redistribution of content by parsing packet information within the transport stream and determining whether the broadcast flag is set, whereby the application shall not forward the content to an IP address that is outside of its local subnetwork as defined by the subnet mask and gateway addresses.

Although the invention has been described in terms of exemplary embodiments, it is not limited thereto. For example, as an added level of security, the home network may use non-routable IP addresses (i.e. private addresses). That is, certain IP addresses are reserved according to predetermined standards and conventions such as the IETF standard. The mapping table associated with Internet routers (i.e. those devices within internet 100 of FIG. 1) would thus not include these non-routable addresses. Accordingly, in the event that unauthorized content is inadvertently distributed outside of the home network, those routers receiving this information would be unable to forward it to its intended destination (as this is a non-routable address) and therefore drop the packetized data. If additional protection is desired, authentication mechanisms and encryption protocols may be utilized to provide further security and guard against unauthorized access and redistribution of certain protected content. The access device that intends to forward the content over the home network would then be required to ensure that the application that it would like to forward the content to is a trusted and compliant application. Alternatively, the access device can be configured to package the content into an IP stream using a different packing format according to a predefined convention that would be recognizable only to compliant devices.

Although the invention has been described in terms of exemplary embodiments, it is not limited thereto. For example, although the present embodiment is described with reference to an access device that is able to receive digital signals from a broadcast source such as, but not limited to, terrestrial broadcast source, a cable system, it is clear that the above described method of controlling the distribution of digital signals can be used with any device attached to a network, such as a home network. The appended claims should be construed broadly to include other variants and embodiments of the invention, which may be made by those skilled in the art without departing from the scope and range of equivalents of the invention.

1. In a device attached to a network, a method for controlling distribution of data from the device to another device via the network, the method comprising the steps of: receiving a digital signal representative of program content, the digital signal having an authorization field indicative of a first transport mode authorizing distribution of the digital signal outside the network, and of a second transport mode inhibiting distribution of the digital signal outside the network; determining whether a destination device to which the digital signal is to be distributed is outside the network; determining whether the authorization field is indicative of the first or second transport mode; and inhibiting transmission of the digital signal in response to determining that the authorization field is indicative of the second transport mode and the destination device is outside the network, otherwise, transmitting the digital signal to the destination device.
2. The method of claim 1, wherein the first determining step comprises the steps of: receiving location information of a router on the network that is used for routing data to devices outside the network; receiving destination data indicative of location information associated with a destination device to which the program content is to be distributed; and determining whether the destination device is outside the network by determining whether the destination data corresponds to the location information of the router.
3. The method of claim 2, wherein the digital signal comprises transport stream packets.
4. The method of claim 3, wherein for each transport stream packet, a payload portion is examined to determine whether the authorization field associated with that packet indicates whether the content is authorized for transmission outside the network when the destination device is outside the network, and wherein the inhibiting step comprises discarding the packet in response to the determination.
5. The method of claim 4, wherein the step of receiving location information of the router comprises receiving a physical address of the router and storing the address in memory.
6. The method of claim 5, wherein the step of receiving destination data comprises receiving a physical address of a device on the network in response to a broadcast ARP request from the device.
7. The method of claim 6, wherein the first determining step comprises comparing the received physical address of the device on the network with the physical address of the router.
8. The method of claim 1, wherein the device is an access device, and the method further comprises the step of accessing the digital signal from a broadcast source.
9. The method of claim 1, wherein the digital signal comprises an MPEG-2 transport stream.
10. The method of claim 9, wherein the authorization field is included in the PMT.
11. A device coupled to a network and adapted to distribute data to other devices connected to the network, the device comprising: means for receiving a digital signal representing program content, the digital signal including an authorization field indicative of a first transport mode wherein distribution of the digital signal outside of the network is authorized, and of a second transport mode wherein distribution of the digital signal outside of the network is inhibited; memory encoded with computer code for executing a send operation for transmitting data on the network; a processor for controlling data receiving and transmitting operations of the device, the processor including data storage means for storing address information of devices connected to the network; and data interface means, coupled to the network, for receiving data from devices attached to the network, and for distributing the digital signals on the network, wherein the processor inhibits transmission of the digital signal on the network in response to a determination that the device is outside the network and that the authorization field is indicative of the second transport mode, otherwise, the processor enables transmission of the digital signal on the network.
12. The device according to claim 11, wherein the data interface means is adapted to receive address information associated with a router attached to the network that is used to routing data to devices outside the network and to receive address information associated with the destination device, and the processor determines whether the destination device is outside the network by comparing the address information of the router and the addressing information of the destination device.
13. The device of claim 11, wherein the computer code comprises: computer program code for formatting an IP packet containing content to be distributed to a destination device; computer program code for comparing a physical address of the destination device with a physical address associated with the router on the network to determine whether the destination device is outside the network; and computer program code for inhibiting transmission of packet data in response to a determination that the authorization field is in the second transport mode and the destination device is outside the network.
14. The device of claim 11, wherein the digital signal comprises an MPEG-2 open data stream.
15. The device of claim 14, wherein the authorization field is included in the PMT.
16. The device of claim 11, wherein the device comprises an access device and the receiving means comprises means for receiving the digital signal from a broadcast source.
17. The device of claim 16, further comprising means for authenticating the destination device using an authentication protocol.
18. The device of claim 17, wherein interface means discards the data packets in response to the determination of the second transport mode and the destination device being outside the network.